Yubico Forum


All times are UTC + 1 hour




Post new topic Reply to topic  [ 19 posts ]  Go to page Previous  1, 2
PostPosted: Tue Sep 17, 2013 7:39 pm 

Joined: Mon Aug 13, 2012 9:58 pm
Posts: 23
Where can I get the PIV applet? >_<

I want to start testing the smartcard capabilities for a couple of clients who run tax preparation offices.



PostPosted: Tue Sep 24, 2013 7:21 pm 

Joined: Tue Sep 24, 2013 7:16 pm
Posts: 7
--edit--
[SOLVED]

The howto at the top of this forum is for OS X: viewtopic.php?f=26&t=1171
However, I apparently had it all working already.

Uninstalled OpenSC; all still working fine :)

Just install GPG Tools; if you can get your hands on a Linux box, that might be an ideal location for personalization of the key, and it keeps OS X clean :)

Just needed to import my public key and set trust to 5, ultimate. THEN and ONLY THEN does PGP recognize the private keys on the card as usable.


PostPosted: Wed Jan 15, 2014 4:11 am 

Joined: Tue Nov 05, 2013 3:08 am
Posts: 17
ctoph1977 wrote:
Oh lovely, the GitHub page has disappeared. Now I'm curious whether I should publish my pull back, even though I couldn't get it to work.


Please do publish your pull, I'd like to see it.


PostPosted: Wed Jan 22, 2014 7:55 pm 

Joined: Wed Jan 22, 2014 7:30 pm
Posts: 6
The libccid provided by Apple is incredibly old and doesn't support most of the readers out there. You can add support for the Yubikey NEO, as well as many other useful readers, by updating libccid and installing it over the Apple-provided one.

This process is described on the libccid page. It works brilliantly and allows normal access to the NEO through pcscd.

If you want the PIV applet to show up in Keychain Access and be otherwise accessible to the OS, you need to install the OpenSC.tokend module in /System/Library/Security/tokend. You can build it, as well as OpenSC, or download binaries from the OpenSC repo.

Keep in mind, though, that if you install OpenSC.tokend, the Yubikey will be snatched up by the OS whenever it's inserted and will be inaccessible to GPG. If you want to use it with GPG, you'll need to kill the 'pcscd' process first. (There must be some way to make gpg and pcscd play nice together, but I haven't yet worked it out. I'll certainly post the solution when I figure it out!)


PostPosted: Wed Jan 22, 2014 9:47 pm 

Joined: Mon Jan 20, 2014 9:22 pm
Posts: 22
ppc wrote:
The libccid provided by Apple is incredibly old and doesn't support most of the readers out there. You can add support for the Yubikey NEO, as well as many other useful readers, by updating libccid and installing it over the Apple-provided one.

This process is described on the libccid page. It works brilliantly and allows normal access to the NEO through pcscd.

If you want the PIV applet to show up in Keychain Access and be otherwise accessible to the OS, you need to install the OpenSC.tokend module in /System/Library/Security/tokend. You can build it, as well as OpenSC, or download binaries from the OpenSC repo.

Keep in mind, though, that if you install OpenSC.tokend, the Yubikey will be snatched up by the OS whenever it's inserted and will be inaccessible to GPG. If you want to use it with GPG, you'll need to kill the 'pcscd' process first. (There must be some way to make gpg and pcscd play nice together, but I haven't yet worked it out. I'll certainly post the solution when I figure it out!)


You can download a pre-built CCID free software driver ("unofficial" warning, maybe) with NEO support from here:
https://github.com/martinpaljak/osx-ccid-installer

No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of the GnuPG developers: their application needs to have exclusive access.

The interesting thing here is that while the NEO does not provide any of the applets as default selected (there's a cure for that), what gets picked up, OpenPGP or PIV, depends on your configuration and might not be what you want.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452


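The post above says which applet "gets picked up" depends on the host's configuration. One way to see for yourself which applets the NEO actually answers to is to send ISO 7816 SELECT-by-AID commands through pcscd with opensc-tool. The script below is an added example, not code from the thread or from Yubico/OpenSC; it assumes opensc-tool is on PATH (only needed by probe_applet) and uses the registered AID prefixes for OpenPGP (D27600012401) and PIV (A000000308), which SELECT matches as partial AIDs.

```shell
#!/bin/sh
# Added example (not from the thread): probe which applets a NEO answers to by
# sending SELECT-by-AID APDUs through pcscd with `opensc-tool -s`.
# Assumptions: opensc-tool on PATH (only used by probe_applet); the AIDs below
# are the registered prefixes for OpenPGP and PIV (partial SELECT is accepted).

OPENPGP_AID=D27600012401   # OpenPGP card application (RID D276000124, PIX 01)
PIV_AID=A000000308         # NIST PIV application prefix

# Build the hex of a SELECT (CLA=00 INS=A4 P1=04 P2=00 Lc=len(AID) AID) for $1.
select_apdu() {
    aid=$1
    printf '00A40400%02X%s' $(( ${#aid} / 2 )) "$aid"
}

# Return 0 when opensc-tool's response line reports SW 9000 (applet selected).
# 6A82 ("file not found") is what a missing applet answers with.
sw_ok() {
    grep -q 'SW1=0x90, SW2=0x00'
}

# Send the SELECT for AID $2 to the card via pcscd and report applet $1.
probe_applet() {
    name=$1 aid=$2
    if opensc-tool -s "$(select_apdu "$aid")" 2>&1 | sw_ok; then
        echo "$name: selectable (SW 9000)"
    else
        echo "$name: not selectable"
    fi
}

# Only talk to hardware when the tool is installed; otherwise just show APDUs.
if command -v opensc-tool >/dev/null 2>&1; then
    probe_applet OpenPGP "$OPENPGP_AID"
    probe_applet PIV "$PIV_AID"
else
    echo "opensc-tool not found; SELECT APDUs would be:"
    echo "  OpenPGP: $(select_apdu "$OPENPGP_AID")"
    echo "  PIV:     $(select_apdu "$PIV_AID")"
fi
```

Run it with the NEO inserted and no other process holding the card (kill or quiesce scdaemon first, as the thread notes gpg wants exclusive access). An applet that answers 9000 is installed and selectable; whether gpg or the tokend then grabs it is the host-side configuration the post is talking about.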
PostPosted: Thu Jan 23, 2014 1:38 am 

Joined: Wed Jan 22, 2014 7:30 pm
Posts: 6
Quote:
No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

Which is a shame, since GPG handles cards so poorly compared to OpenSC and ensures that certain connected readers are only ever used for one or the other.

You should be able to put the following in ~/.gnupg/scdaemon.conf and use pcscd (instead of the integrated CCID drivers) to access the card:
Code:
# This path will be different for non-Macs
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
# Don't use the integrated CCID drivers
disable-ccid
# Release the card after 5 seconds
card-timeout 5

...but I've never been able to get that to work. The version of scdaemon provided with MacGPG never looks at scdaemon.conf, and I can't figure out exactly where it's being called from to change its arguments.

Quote:
The interesting thing here is that while NEO does not provide any of the applets as default selected (there's cure for that) what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

Can you elaborate on this? How do you change the default applet and what is the effect of having a default applet selected?


PostPosted: Thu Jan 23, 2014 11:22 am 

Joined: Mon Jan 20, 2014 9:22 pm
Posts: 22
ppc wrote:
Quote:
No, gpg and OpenSC.tokend don't match and probably never will, because that's the apparent design decision of GnuPG developers - their application needs to have exclusive access.

Which is a shame, since GPG handles cards so poorly compared to OpenSC and ensures that certain connected readers are only ever used for one or the other.

You should be able to put the following in ~/.gnupg/scdaemon.conf and use pcscd (instead of the integrated CCID drivers) to access the card:
Code:
# This path will be different for non-Macs
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
# Don't use the integrated CCID drivers
disable-ccid
# Release the card after 5 seconds
card-timeout 5

...but I've never been able to get that to work. The version of scdaemon provided with MacGPG never looks at scdaemon.conf, and I can't figure out exactly where it's being called from to change its arguments.

Quote:
The interesting thing here is that while NEO does not provide any of the applets as default selected (there's cure for that) what gets picked up - OpenPGP or PIV - depends on your configuration and might not be what you want.

Can you elaborate on this? How do you change the default applet and what is the effect of having a default applet selected?


No apparent difference for the default applet in the case of PIV or OpenPGP. Do use gpgtools.org, and with a single reader you don't have to change anything, IIRC. I don't recall a release-card option, though....


And I just used yubiclip to log on from a tablet. Nice.

_________________
OpenKMS GlobalPlatform - simple way to manage applications on your NEO
Applet Playground - explore open source JavaCard applications
PGP: 0x307E3452


PostPosted: Thu Jan 23, 2014 9:06 pm 

Joined: Wed Jan 22, 2014 7:30 pm
Posts: 6
Quote:
Do use gpgtools.org and with a single reader you dont have to change anything iirc. I dont recall release card option though....


Actually, it looks like scdaemon does read its config file. If you add
Code:
# Don't have to unplug other card readers to use gpg!
reader-port "Yubico Yubikey NEO OTP+CCID 00 00"

to ~/.gnupg/scdaemon.conf, gpg will read from the Yubikey even if it is not the only/first reader on your system.

Also, it looks like some of the other options in there are being handled. 'disable-ccid' and 'pcsc-driver' seem to be working, as all access is through pcscd. 'card-timeout' doesn't seem to be doing anything, though.

I think 'card-timeout' isn't working because gpg-agent is keeping a connection to scdaemon open. I use gpg-agent for ssh, though, so I can't really disable it. Frustrating! Who cares if gpg-agent has a connection open? I should be able to sleep the card until an actual transaction occurs.

We need a scdaemon that isn't so restrictive. Have you tried gnupg-pkcs11-scd?


PostPosted: Thu Mar 05, 2015 9:11 pm 

Joined: Mon Mar 02, 2015 9:39 pm
Posts: 27
Cannot build gnupg-pkcs11-scd on Mac, because it needs pkcs11-helper, which does not exist on Mac, and porting did not work for me. :-(

I needed to modify ~/.gnupg/scdaemon.conf:
Code:
reader-port "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
reader-port "Yubico Yubikey NEO OTP+U2F+CCID 01 00"
pcsc-driver /System/Library/Frameworks/PCSC.framework/PCSC
disable-ccid
# Release the card after 15 seconds
card-timeout 15


In general, having GPGTools (https://gpgtools.org) installed provided me with gpg2, gpg-agent, and scdaemon to use with the NEO. I was able to secure email in OpenPGP mode using the NEO and GPGTools.

Regarding PIV, the story is more difficult. It seems fairly straightforward to access NEO with tools from OpenSC https://github.com/OpenSC/OpenSC/releases, and using OpenSSL, or Keystore Explorer http://keystore-explorer.sourceforge.net/ (and of course yubico-piv-tool) one is able to generate keys & certificates, and load them on the NEO. The problem is - I'm not aware of any application that can use those certificates, either for email, or for login, or such.

OpenSC.tokend https://github.com/OpenSC/OpenSC.tokend recognizes NEO but cannot unlock it, or do anything useful with it (in fact it refuses to unlock any smart card, so there must be something wrong with my setup, but I can't figure out what it could be).
PKard does not recognize NEO (because NEO does not return Card Capabilities Container).

Update
After some change (among many - can't tell what exactly it was) OpenSC.tokend stopped recognizing NEO. But I guess I shouldn't complain because it started unlocking CAC and PIV cards successfully. Though at this time NEO PIV == No-Go.


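The last two posts converge on the same recipe: put a reader-port line naming the NEO in ~/.gnupg/scdaemon.conf, route access through pcscd with pcsc-driver and disable-ccid, and restart scdaemon so it re-reads the file. The script below is an added example that automates that recipe; it is not code from the thread, GPGTools or Yubico. It assumes a reader listing in the `opensc-tool -l` layout (a constructed sample is embedded so it runs offline), the macOS PCSC framework path posted above, and GnuPG 2.1 or later for `gpgconf --kill scdaemon`. With the default DRY_RUN=1 it only prints what it would write and run.

```shell
#!/bin/sh
# Added example, not code from the thread: pin GnuPG's scdaemon to the Yubikey
# NEO reader by name (the reader-port trick from the posts above), regenerate
# ~/.gnupg/scdaemon.conf from a reader listing, reload scdaemon and check the
# card. Assumptions: `opensc-tool -l` listing layout as in the constructed
# sample below, macOS PCSC framework path, GnuPG >= 2.1 for `gpgconf --kill`.
# DRY_RUN=1 (default) writes and restarts nothing.

# Constructed sample of a reader listing (not captured from a real machine).
SAMPLE_READERS='# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
1    No              Generic EMV Smartcard Reader 01 00'

# Print, one per line, the names of readers containing $1 (a sed BRE without
# slashes), taking the name from the first match of $1 to the end of the line.
reader_names() {
    sed -n "s/.*\($1.*[^ ]\) *$/\1/p"
}

# Emit a scdaemon.conf selecting the first reader matching $1. Comments are
# kept on their own lines, the only form GnuPG's option-file syntax documents.
gen_scdaemon_conf() {
    pattern=$1
    pcsc_driver=${2:-/System/Library/Frameworks/PCSC.framework/PCSC}
    name=$(reader_names "$pattern" | head -n 1)
    if [ -z "$name" ]; then
        echo "no reader matching '$pattern' in listing" >&2
        return 1
    fi
    cat <<EOF
# Use this reader rather than the first one pcscd reports
reader-port "$name"
# Go through pcscd instead of scdaemon's built-in CCID driver
pcsc-driver $pcsc_driver
disable-ccid
# Release the card after 15 idle seconds
card-timeout 15
EOF
}

# Write the config, restart scdaemon (it reads its config only at startup) and
# query the card. With DRY_RUN=1 (default) only show what would happen.
apply_scdaemon_conf() {
    conf=${1:-$HOME/.gnupg/scdaemon.conf}
    pattern=${2:-Yubico}
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "would write $conf (from the constructed sample listing):"
        printf '%s\n' "$SAMPLE_READERS" | gen_scdaemon_conf "$pattern"
        echo "would run: gpgconf --kill scdaemon && gpg --card-status"
        return 0
    fi
    opensc-tool -l | gen_scdaemon_conf "$pattern" > "$conf.tmp" \
        || { rm -f "$conf.tmp"; return 1; }
    chmod 600 "$conf.tmp" && mv "$conf.tmp" "$conf"
    gpgconf --kill scdaemon    # force a re-read of the new config
    gpg --card-status          # should now show the NEO's OpenPGP data
}

apply_scdaemon_conf
```

Run with DRY_RUN=0 to write the file for real. The script pins a single reader-port line; if you have more than one NEO attached, pass a more specific pattern (e.g. the "01 00" suffix) rather than listing several readers, and re-run `gpg --card-status` after every change to confirm scdaemon actually picked up the reader you meant.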
Powered by phpBB® Forum Software © phpBB Group